From f9d5e53cac1c002e5983efc18e42f5a21444b182 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 21 Aug 2019 17:29:19 +0200
Subject: Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3)

For the authorizations, order and certificate URLs. See RFC 8555 sec. 7.1.
---
 client | 22 +++++++++++-----------
 lacme-accountd.md | 2 +-
 lacme.md | 2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

--- a/client
+++ b/client
@@ -165,16 +165,16 @@ sub request_json_decode($;$$) {
 #############################################################################
 # JSON-encode the hash reference $h and send it to the ACME server $uri
 # encapsulated it in a JSON Web Signature (JWS).
-# https://tools.ietf.org/html/draft-ietf-acme-acme-12
+# https://tools.ietf.org/html/rfc8555
 #
-sub acme($@) {
-    my $uri = shift;
+sub acme($;$) {
+    my ($uri, $h) = @_;
     die "Missing nonce\n" unless defined $NONCE;
 
     # Produce the JSON Web Signature: RFC 7515 section 5
     my %header = ( alg => 'RS256', nonce => $NONCE, url => $uri );
     defined $KID ? ($header{kid} = $KID) : ($header{jwk} = $JWK);
-    my $payload = encode_base64url(json()->encode({ @_ }));
+    my $payload = defined $h ? encode_base64url(json()->encode($h)) : "";
     my $protected = encode_base64url(json()->encode(\%header));
     my $data = $protected .'.'. $payload;
     $S->printflush($data, "\r\n");
@@ -204,7 +204,7 @@ sub acme_resource($%) {
         request(HEAD => $RES{newNonce});
     }
     my $uri = $RES{$r} // die "Unknown resource '$r'\n";
-    acme($uri, @_);
+    acme($uri, {@_});
 }
 
 # Set the key ID (registration URI)
@@ -237,7 +237,7 @@ if ($COMMAND eq 'account') {
 
     if ($r->is_success()) {
         $KID = $r->header('Location');
-        $r = acme($KID, %h);
+        $r = acme($KID, \%h);
         request_json_decode($r, 1, \*STDOUT) if $r->is_success()
             and $r->content_type() eq 'application/json';
     }
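Review bot: The header comment above `sub acme($;$)` still describes only the "JSON-encode the hash reference $h" case, while the new `my $payload = defined $h ? ... : "";` line makes the payload optional and gives the call three distinct shapes (no `$h`, `{}`, `\%h`) that the reader has to tell apart. A sentence such as `# $h is optional: when omitted the JWS carries an empty payload, i.e. a POST-as-GET (RFC 8555 sec. 6.3); pass {} to send an empty JSON object.` would document that contract where callers will look for it. The prototype matches the file's existing `request_json_decode($;$$)` style, so no objection there. acme's body continues past the hunk, so how the response nonce is refreshed is not visible here.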
@@ -264,7 +264,7 @@ elsif ($COMMAND eq 'newOrder') {
 
     my $order = request_json_decode($r);
     foreach (@{$order->{authorizations}}) {
-        my $authz = request_json_decode(request(GET => $_));
+        my $authz = request_json_decode(acme($_));
         next unless $authz->{status} eq 'pending';
         my $identifier = $authz->{identifier}->{value};
 
@@ -288,7 +288,7 @@ elsif ($COMMAND eq 'newOrder') {
             die "Can't open $challenge->{token}: $!";
         }
 
-        $r = acme($challenge->{url});
+        $r = acme($challenge->{url}, {});
 
         # poll until the status become 'valid'
         # XXX poll the order URL instead, to get the status of all
@@ -298,7 +298,7 @@ elsif ($COMMAND eq 'newOrder') {
               $resp = request_json_decode($r),
               $status = $resp->{status} // 'pending',
               $status ne 'valid';
-              $r = request('GET' => $challenge->{url})) {
+              $r = acme($challenge->{url}, {})) {
             if (defined (my $problem = $resp->{error})) { # problem document (RFC 7807)
                 my $msg = $problem->{status};
                 $msg .= " " .$problem->{title} if defined $problem->{title};
@@ -321,7 +321,7 @@ elsif ($COMMAND eq 'newOrder') {
         }
     }
 
-    $r = acme($order->{finalize}, csr => encode_base64url($csr));
+    $r = acme($order->{finalize}, {csr => encode_base64url($csr)});
     my $resp = request_json_decode($r);
     my $uri = $resp->{certificate};
 
@@ -329,7 +329,7 @@ elsif ($COMMAND eq 'newOrder') {
 
     # pool until the cert is available
     for (my $i = 0;;) {
-        $r = request('GET' => $uri);
+        $r = acme($uri);
         die request_status_line($r), "\n" unless $r->is_success();
         last unless $r->code == 202; # Accepted
         my $retry_after = $r->header('Retry-After') // 1;
--- a/lacme-accountd.md
+++ b/lacme-accountd.md
@@ -141,7 +141,7 @@ See also
 
 [`lacme`(1)], [`ssh`(1)]
 
-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-02
+[ACME]: https://tools.ietf.org/html/rfc8555
 [`lacme`(1)]: lacme.1.html
 [`signal`(7)]: http://linux.die.net/man/7/signal
 [`gpg`(1)]: https://www.gnupg.org/documentation/manpage.en.html
--- a/lacme.md
+++ b/lacme.md
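Review bot: The authorizations loop in the `@@ -264` hunk hands the aliased `$_` to `acme($_)`, a routine that does socket I/O (`$S->printflush` in the earlier hunk) and presumably reads the reply; if any of that reading goes through `$_`, the loop variable is clobbered mid-iteration. Naming it, `foreach my $authz_url (@{$order->{authorizations}}) {` with `acme($authz_url)`, removes the dependency on the callee. The previous `request(GET => $_)` had the same exposure, so this is a style point rather than a regression introduced here.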
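Review bot: The poll condition in the `@@ -298` hunk now sends `acme($challenge->{url}, {})` on every iteration, which is the "respond to challenge" request of RFC 8555 sec. 7.5.1 (empty JSON object), not the POST-as-GET (empty payload) that status polling calls for. A server is entitled to reject a repeated response to a challenge that is no longer pending, and that would surface here as an error document rather than a `pending` status. The first `acme($challenge->{url}, {})` in the `@@ -288` hunk is the correct trigger; for the poll, `$r = acme($challenge->{url})) {` with no second argument asks for the status only (the existing XXX comment about polling the order URL instead still stands). The enclosing for-loop header begins before this hunk.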
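Review bot: With the certificate poll in the `@@ -329` hunk switched from an unsigned GET to `acme($uri)`, every iteration now consumes a nonce and produces a signed request, and the `die request_status_line($r), "\n" unless $r->is_success();` on the next line aborts on any failure; RFC 8555 sec. 6.5 expects a `badNonce` error to be retried with the `Replay-Nonce` carried by that very response, a case the old plain GET never hit. Unless acme() already retries internally (its body lies outside these hunks), the loop would be more robust inspecting the problem document's `type` for `urn:ietf:params:acme:error:badNonce` and continuing instead of dying. The for-loop continues past the end of the hunk.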
@@ -412,7 +412,7 @@ See also
 
 [`lacme-accountd`(1)]
 
-[ACME]: https://tools.ietf.org/html/draft-ietf-acme-acme-12
+[ACME]: https://tools.ietf.org/html/rfc8555
 [`lacme-accountd`(1)]: lacme-accountd.1.html
 [`iptables`(8)]: http://linux.die.net/man/8/iptables
 [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html